From 316cde47596484300eaedfa09ad48b9af0f5ba3a Mon Sep 17 00:00:00 2001
From: Giovanni Toraldo
Date: Mon, 9 Oct 2023 09:59:51 +0200
Subject: [PATCH 1/5] Add support for more http-related configs

* keycloak_quarkus_http_relative_path var now populate http-relative-path config [breaking change]
* http-relative-path defaults to / [breaking change]
* enable configuration of hostname-url and hostname-admin-url
---
 molecule/quarkus-devmode/converge.yml | 1 -
 molecule/quarkus/converge.yml | 1 -
 roles/keycloak_quarkus/README.md | 6 ++++--
 roles/keycloak_quarkus/defaults/main.yml | 8 ++++++--
 roles/keycloak_quarkus/meta/argument_specs.yml | 12 +++++++++---
 roles/keycloak_quarkus/templates/keycloak.conf.j2 | 10 ++++++++--
 6 files changed, 27 insertions(+), 11 deletions(-)

diff --git a/molecule/quarkus-devmode/converge.yml b/molecule/quarkus-devmode/converge.yml
index b484120..6cbe7d8 100644
--- a/molecule/quarkus-devmode/converge.yml
+++ b/molecule/quarkus-devmode/converge.yml
@@ -5,7 +5,6 @@
 keycloak_quarkus_admin_pass: "remembertochangeme"
 keycloak_admin_password: "remembertochangeme"
 keycloak_realm: TestRealm
- keycloak_quarkus_http_relative_path: ''
 keycloak_quarkus_log: file
 keycloak_quarkus_frontend_url: 'http://localhost:8080/'
 keycloak_quarkus_start_dev: True
diff --git a/molecule/quarkus/converge.yml b/molecule/quarkus/converge.yml
index cb35230..43e2215 100644
--- a/molecule/quarkus/converge.yml
+++ b/molecule/quarkus/converge.yml
@@ -6,7 +6,6 @@
 keycloak_admin_password: "remembertochangeme"
 keycloak_realm: TestRealm
 keycloak_quarkus_host: instance
- keycloak_quarkus_http_relative_path: ''
 keycloak_quarkus_log: file
 keycloak_quarkus_https_enabled: True
 keycloak_quarkus_key_file: "{{ keycloak.home }}/conf/key.pem"
diff --git a/roles/keycloak_quarkus/README.md b/roles/keycloak_quarkus/README.md
index 1a50a00..7108780 100644
--- a/roles/keycloak_quarkus/README.md
+++ b/roles/keycloak_quarkus/README.md
@@ -24,6 +24,7 @@ Role Defaults
 |`keycloak_quarkus_bind_address`| Address for binding service ports | `0.0.0.0` |
 |`keycloak_quarkus_host`| Hostname for the Keycloak server | `localhost` |
 |`keycloak_quarkus_port`| The port used by the proxy when exposing the hostname | `-1` |
+|`keycloak_quarkus_path`| This should be set if proxy uses a different context-path for Keycloak | |
 |`keycloak_quarkus_http_port`| HTTP listening port | `8080` |
 |`keycloak_quarkus_https_port`| TLS HTTP listening port | `8443` |
 |`keycloak_quarkus_ajp_port`| AJP port | `8009` |
@@ -34,8 +35,9 @@ Role Defaults
 |`keycloak_quarkus_jvm_package`| RHEL java package runtime | `java-17-openjdk-headless` |
 |`keycloak_quarkus_java_home`| JAVA_HOME of installed JRE, leave empty for using specified keycloak_quarkus_jvm_package RPM path | `None` |
 |`keycloak_quarkus_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |
-|`keycloak_quarkus_frontend_url`| Service public URL | `http://localhost:8080/auth` |
-|`keycloak_quarkus_http_relative_path` | Service context path | `auth` |
+|`keycloak_quarkus_frontend_url`| Set the base URL for frontend URLs, including scheme, host, port and path | |
+|`keycloak_quarkus_admin_url`| Set the base URL for accessing the administration console, including scheme, host, port and path | |
+|`keycloak_quarkus_http_relative_path` | Service context path | |
 |`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` |
 |`keycloak_quarkus_https_enabled`| Enable listener on HTTPS port | `False` |
 |`keycloak_quarkus_key_file`| The file path to a private key in PEM format | `{{ keycloak.home }}/conf/server.key.pem` |
diff --git a/roles/keycloak_quarkus/defaults/main.yml b/roles/keycloak_quarkus/defaults/main.yml
index d769a85..62cd05e 100644
--- a/roles/keycloak_quarkus/defaults/main.yml
+++ b/roles/keycloak_quarkus/defaults/main.yml
@@ -29,6 +29,7 @@ keycloak_quarkus_master_realm: master
 keycloak_quarkus_bind_address: 0.0.0.0
 keycloak_quarkus_host: localhost
 keycloak_quarkus_port: -1
+keycloak_quarkus_path: ''
 keycloak_quarkus_http_enabled: True
 keycloak_quarkus_http_port: 8080
 keycloak_quarkus_https_port: 8443
@@ -47,8 +48,11 @@ keycloak_quarkus_ha_enabled: False
 keycloak_quarkus_db_enabled: "{{ True if keycloak_quarkus_ha_enabled else False }}"
 ### keycloak frontend url
-keycloak_quarkus_http_relative_path: auth
-keycloak_quarkus_frontend_url: http://localhost:8080/auth
+keycloak_quarkus_frontend_url: ''
+keycloak_quarkus_admin_url: ''
+
+### path under the application is exposed (set to `auth` for retrocompatibility with pre-quarkus releases)
+keycloak_quarkus_http_relative_path: ''
 # proxy address forwarding mode if the server is behind a reverse proxy. [none, edge, reencrypt, passthrough]
 keycloak_quarkus_proxy_mode: edge
diff --git a/roles/keycloak_quarkus/meta/argument_specs.yml b/roles/keycloak_quarkus/meta/argument_specs.yml
index 32e550b..2dd32bb 100644
--- a/roles/keycloak_quarkus/meta/argument_specs.yml
+++ b/roles/keycloak_quarkus/meta/argument_specs.yml
@@ -97,6 +97,10 @@ argument_specs:
 default: -1
 description: "The port used by the proxy when exposing the hostname"
 type: "int"
+ keycloak_quarkus_path:
+ default: ""
+ description: "This should be set if proxy uses a different context-path for Keycloak"
+ type: "str"
 keycloak_quarkus_http_enabled:
 default: true
 description: "Enable listener on HTTP port"
@@ -149,14 +153,16 @@ argument_specs:
 description: "Enable auto configuration for database backend"
 type: "str"
 keycloak_quarkus_http_relative_path:
- # line 41 of defaults/main.yml
 default: "auth"
 description: "Service context path"
 type: "str"
 keycloak_quarkus_frontend_url:
- # line 41 of defaults/main.yml
- default: "http://localhost:8080/auth"
 description: "Service public URL"
+ default: ""
+ type: "str"
+ keycloak_quarkus_admin_url:
+ description: "Service URL for the admin console"
+ default: ""
+ type: "str"
 keycloak_quarkus_metrics_enabled:
 # line 43 of defaults/main.yml
diff --git a/roles/keycloak_quarkus/templates/keycloak.conf.j2 b/roles/keycloak_quarkus/templates/keycloak.conf.j2
index 7285c48..e2c078a 100644
--- a/roles/keycloak_quarkus/templates/keycloak.conf.j2
+++ b/roles/keycloak_quarkus/templates/keycloak.conf.j2
@@ -15,6 +15,7 @@ health-enabled={{ keycloak_quarkus_health_enabled }}
 # HTTP
 http-enabled={{ keycloak_quarkus_http_enabled }}
 http-port={{ keycloak_quarkus_http_port }}
+http-relative-path={{ keycloak_quarkus_http_relative_path }}
 # HTTPS
 https-port={{ keycloak_quarkus_https_port }}
@@ -23,10 +24,15 @@ https-certificate-file={{ keycloak_quarkus_cert_file}}
 https-certificate-key-file={{ keycloak_quarkus_key_file }}
 {% endif %}
-# Hostname for the Keycloak server.
+# Client URL configuration
+{% if keycloak_quarkus_frontend_url %}
+hostname-url={{ keycloak_quarkus_frontend_url }}
+{% else %}
 hostname={{ keycloak_quarkus_host }}
 hostname-port={{ keycloak_quarkus_port }}
-hostname-path={{ keycloak_quarkus_http_relative_path }}
+hostname-path={{ keycloak_quarkus_path }}
+{% endif %}
+hostname-admin-url={{ keycloak_quarkus_admin_url }}
 # Cluster
 {% if keycloak_quarkus_ha_enabled %}

From 8eb518528743fb2da8a15cc655b1e4ee8319eb42 Mon Sep 17 00:00:00 2001
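Review bot: `hostname-admin-url={{ keycloak_quarkus_admin_url }}` is emitted unconditionally, so with the new empty default the rendered keycloak.conf carries a bare `hostname-admin-url=`; the same happens to `http-relative-path={{ keycloak_quarkus_http_relative_path }}` in the first hunk while its default is `''`. Whether the server treats an empty value as unset or as a malformed URL is not visible from here, so guard it the way `hostname-url` already is: `{% if keycloak_quarkus_admin_url %}` / `hostname-admin-url={{ keycloak_quarkus_admin_url }}` / `{% endif %}`. These hostname settings decide which issuer and admin-console URLs the server advertises and trusts, so a value that is accidentally empty or missing its scheme deserves a loud failure (for example an `assert` in the role tasks that `keycloak_quarkus_frontend_url` and `keycloak_quarkus_admin_url`, when set, start with `http://` or `https://`) rather than a silent fallback.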
From: Giovanni Toraldo
Date: Wed, 25 Oct 2023 10:46:52 +0200
Subject: [PATCH 2/5] use relative path to build health url

---
 roles/keycloak_quarkus/vars/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/keycloak_quarkus/vars/main.yml b/roles/keycloak_quarkus/vars/main.yml
index 1b3ef73..c3a9623 100644
--- a/roles/keycloak_quarkus/vars/main.yml
+++ b/roles/keycloak_quarkus/vars/main.yml
@@ -4,7 +4,7 @@ keycloak:
 config_dir: "{{ keycloak_quarkus_config_dir }}"
 bundle: "{{ keycloak_quarkus_archive }}"
 service_name: "keycloak"
- health_url: "http://{{ keycloak_quarkus_host }}:{{ keycloak_quarkus_http_port }}/realms/master/.well-known/openid-configuration"
+ health_url: "http://{{ keycloak_quarkus_host }}:{{ keycloak_quarkus_http_port }}/{{ keycloak_quarkus_http_relative_path }}{{ '/' if keycloak_quarkus_http_relative_path else '' }}realms/master/.well-known/openid-configuration"
 cli_path: "{{ keycloak_quarkus_home }}/bin/kcadm.sh"
 service_user: "{{ keycloak_quarkus_service_user }}"
 service_group: "{{ keycloak_quarkus_service_group }}"

From c8f968a5873e29e014aa7ccd1117f8e2748c8797 Mon Sep 17 00:00:00 2001
From: Giovanni Toraldo
Date: Fri, 27 Oct 2023 15:42:42 +0200
Subject: [PATCH 3/5] cleanup vars

---
 roles/keycloak_quarkus/defaults/main.yml | 10 +++++-----
 roles/keycloak_quarkus/meta/argument_specs.yml | 14 ++++++-------
 2 files changed, 11 insertions(+), 13 deletions(-)

diff --git a/roles/keycloak_quarkus/defaults/main.yml b/roles/keycloak_quarkus/defaults/main.yml
index 62cd05e..b38e921 100644
--- a/roles/keycloak_quarkus/defaults/main.yml
+++ b/roles/keycloak_quarkus/defaults/main.yml
@@ -22,14 +22,14 @@ keycloak_quarkus_configure_firewalld: False
 ### administrator console password
 keycloak_quarkus_admin_user: admin
-keycloak_quarkus_admin_pass: ''
+keycloak_quarkus_admin_pass:
 keycloak_quarkus_master_realm: master
 ### Configuration settings
 keycloak_quarkus_bind_address: 0.0.0.0
 keycloak_quarkus_host: localhost
 keycloak_quarkus_port: -1
-keycloak_quarkus_path: ''
+keycloak_quarkus_path:
 keycloak_quarkus_http_enabled: True
 keycloak_quarkus_http_port: 8080
 keycloak_quarkus_https_port: 8443
@@ -48,11 +48,11 @@ keycloak_quarkus_ha_enabled: False
 keycloak_quarkus_db_enabled: "{{ True if keycloak_quarkus_ha_enabled else False }}"
 ### keycloak frontend url
-keycloak_quarkus_frontend_url: ''
-keycloak_quarkus_admin_url: ''
+keycloak_quarkus_frontend_url:
+keycloak_quarkus_admin_url:
 ### path under the application is exposed (set to `auth` for retrocompatibility with pre-quarkus releases)
-keycloak_quarkus_http_relative_path: ''
+keycloak_quarkus_http_relative_path:
 # proxy address forwarding mode if the server is behind a reverse proxy. [none, edge, reencrypt, passthrough]
 keycloak_quarkus_proxy_mode: edge
diff --git a/roles/keycloak_quarkus/meta/argument_specs.yml b/roles/keycloak_quarkus/meta/argument_specs.yml
index 2dd32bb..9855aa5 100644
--- a/roles/keycloak_quarkus/meta/argument_specs.yml
+++ b/roles/keycloak_quarkus/meta/argument_specs.yml
@@ -70,13 +70,11 @@ argument_specs:
 description: "Ensure firewalld is running and configure keycloak ports"
 type: "bool"
 keycloak_quarkus_admin_user:
- # line 22 of defaults/main.yml
 default: "admin"
 description: "Administration console user account"
 type: "str"
 keycloak_quarkus_admin_pass:
- # line 23 of defaults/main.yml
- default: ""
+ required: true
 description: "Password of console admin account"
 type: "str"
 keycloak_quarkus_master_realm:
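Review bot: `required: true` on `keycloak_quarkus_admin_pass` is probably not enforced while defaults/main.yml still defines the key (first hunk of this commit turns it into a bare `keycloak_quarkus_admin_pass:`, i.e. a null default): as far as I recall, the role argument-spec validator picks up every spec'd variable that exists in the play vars and checks required-ness by key presence rather than by value, so a null would pass validation and whatever the tasks do with a null admin password happens outside this hunk. To make the guard real, either drop the key from defaults/main.yml entirely or add an explicit check before the install tasks, e.g. `- ansible.builtin.assert: { that: keycloak_quarkus_admin_pass is string and keycloak_quarkus_admin_pass | length > 0, fail_msg: "keycloak_quarkus_admin_pass must be set" }`. The same presence-versus-value question applies to the other keys switched to bare nulls here (`keycloak_quarkus_path`, `keycloak_quarkus_frontend_url`, `keycloak_quarkus_admin_url`, `keycloak_quarkus_http_relative_path`), but those are optional so it only matters for the password.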
@@ -98,13 +96,13 @@ argument_specs:
 description: "The port used by the proxy when exposing the hostname"
 type: "int"
 keycloak_quarkus_path:
- default: ""
+ required: false
 description: "This should be set if proxy uses a different context-path for Keycloak"
 type: "str"
 keycloak_quarkus_http_enabled:
 default: true
 description: "Enable listener on HTTP port"
- type: "bool"
+ type: "bool"
 keycloak_quarkus_http_port:
 # line 29 of defaults/main.yml
 default: 8080
@@ -153,16 +151,16 @@ argument_specs:
 description: "Enable auto configuration for database backend"
 type: "str"
 keycloak_quarkus_http_relative_path:
- default: "auth"
+ required: false
 description: "Service context path"
 type: "str"
 keycloak_quarkus_frontend_url:
+ required: false
 description: "Service public URL"
- default: ""
 type: "str"
 keycloak_quarkus_admin_url:
+ required: false
 description: "Service URL for the admin console"
- default: ""
 type: "str"
 keycloak_quarkus_metrics_enabled:
 # line 43 of defaults/main.yml

From 880d70ffb988bc51d4db32188bc9ebf9e1e8f171 Mon Sep 17 00:00:00 2001
From: Giovanni Toraldo
Date: Tue, 7 Nov 2023 10:21:05 +0100
Subject: [PATCH 4/5] enable https_revproxy test

---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 50e1fc4..6e5a542 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,4 +15,4 @@ jobs:
 with:
 fqcn: 'middleware_automation/keycloak'
 molecule_tests: >-
- [ "default", "quarkus", "overridexml", "quarkus-devmode" ]
+ [ "default", "quarkus", "overridexml", "quarkus-devmode", "https_revproxy" ]

From 0e510c093a3fbd9d2b964ed39f71eefd968b2522 Mon Sep 17 00:00:00 2001
From: Giovanni Toraldo
Date: Mon, 13 Nov 2023 10:07:01 +0100
Subject: [PATCH 5/5] Set default keycloak_quarkus_http_relative_path as per upstream docs

---
 roles/keycloak_quarkus/README.md | 2 +-
 roles/keycloak_quarkus/defaults/main.yml | 5 +++--
 roles/keycloak_quarkus/meta/argument_specs.yml | 3 ++-
 roles/keycloak_quarkus/vars/main.yml | 2 +-
 4 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/roles/keycloak_quarkus/README.md b/roles/keycloak_quarkus/README.md
index 7108780..30e7cd8 100644
--- a/roles/keycloak_quarkus/README.md
+++ b/roles/keycloak_quarkus/README.md
@@ -37,7 +37,7 @@ Role Defaults
 |`keycloak_quarkus_java_opts`| Additional JVM options | `-Xms1024m -Xmx2048m` |
 |`keycloak_quarkus_frontend_url`| Set the base URL for frontend URLs, including scheme, host, port and path | |
 |`keycloak_quarkus_admin_url`| Set the base URL for accessing the administration console, including scheme, host, port and path | |
-|`keycloak_quarkus_http_relative_path` | Service context path | |
+|`keycloak_quarkus_http_relative_path` | Set the path relative to / for serving resources. The path must start with a / | `/` |
 |`keycloak_quarkus_http_enabled`| Enable listener on HTTP port | `True` |
 |`keycloak_quarkus_https_enabled`| Enable listener on HTTPS port | `False` |
 |`keycloak_quarkus_key_file`| The file path to a private key in PEM format | `{{ keycloak.home }}/conf/server.key.pem` |
diff --git a/roles/keycloak_quarkus/defaults/main.yml b/roles/keycloak_quarkus/defaults/main.yml
index b38e921..e28d16f 100644
--- a/roles/keycloak_quarkus/defaults/main.yml
+++ b/roles/keycloak_quarkus/defaults/main.yml
@@ -51,8 +51,9 @@ keycloak_quarkus_db_enabled: "{{ True if keycloak_quarkus_ha_enabled else False
 keycloak_quarkus_frontend_url:
 keycloak_quarkus_admin_url:
-### path under the application is exposed (set to `auth` for retrocompatibility with pre-quarkus releases)
-keycloak_quarkus_http_relative_path:
+### Set the path relative to / for serving resources. The path must start with a /
+### (set to `/auth` for retrocompatibility with pre-quarkus releases)
+keycloak_quarkus_http_relative_path: /
 # proxy address forwarding mode if the server is behind a reverse proxy. [none, edge, reencrypt, passthrough]
 keycloak_quarkus_proxy_mode: edge
diff --git a/roles/keycloak_quarkus/meta/argument_specs.yml b/roles/keycloak_quarkus/meta/argument_specs.yml
index 9855aa5..9f5d9de 100644
--- a/roles/keycloak_quarkus/meta/argument_specs.yml
+++ b/roles/keycloak_quarkus/meta/argument_specs.yml
@@ -152,7 +152,8 @@ argument_specs:
 type: "str"
 keycloak_quarkus_http_relative_path:
 required: false
- description: "Service context path"
+ default: /
+ description: "Set the path relative to / for serving resources. The path must start with a /"
 type: "str"
 keycloak_quarkus_frontend_url:
 required: false
diff --git a/roles/keycloak_quarkus/vars/main.yml b/roles/keycloak_quarkus/vars/main.yml
index c3a9623..0ef6844 100644
--- a/roles/keycloak_quarkus/vars/main.yml
+++ b/roles/keycloak_quarkus/vars/main.yml
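Review bot: `default: /` in the argument spec is the only unquoted scalar default in this file, and `keycloak_quarkus_http_relative_path: /` in defaults/main.yml matches it; a plain `/` does parse as a string, so this is a style point, but quoting both (`default: "/"` and `keycloak_quarkus_http_relative_path: "/"`) keeps them consistent with the quoted `"str"` values around them and stops a formatter or a future edit to something like `/auth` from being retyped. The `required: false` line kept just above the new default is the implicit value and could be dropped now that a default is declared. The new doc text says the path "must start with a /", but nothing in the role enforces that; a one-line `assert` on `keycloak_quarkus_http_relative_path is match('^/')` would turn the sentence into a check.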
@@ -4,7 +4,7 @@ keycloak:
 config_dir: "{{ keycloak_quarkus_config_dir }}"
 bundle: "{{ keycloak_quarkus_archive }}"
 service_name: "keycloak"
- health_url: "http://{{ keycloak_quarkus_host }}:{{ keycloak_quarkus_http_port }}/{{ keycloak_quarkus_http_relative_path }}{{ '/' if keycloak_quarkus_http_relative_path else '' }}realms/master/.well-known/openid-configuration"
+ health_url: "http://{{ keycloak_quarkus_host }}:{{ keycloak_quarkus_http_port }}{{ keycloak_quarkus_http_relative_path }}{{ '/' if keycloak_quarkus_http_relative_path | length > 1 else '' }}realms/master/.well-known/openid-configuration"
 cli_path: "{{ keycloak_quarkus_home }}/bin/kcadm.sh"
 service_user: "{{ keycloak_quarkus_service_user }}"
 service_group: "{{ keycloak_quarkus_service_group }}"
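Review bot: The rewritten `health_url` assumes `keycloak_quarkus_http_relative_path` is non-empty and starts with `/`: an empty string (which the earlier molecule scenarios set and the previous README allowed) yields `http://host:8080realms/...`, and a null value makes the `| length` filter raise instead of producing a URL. Normalising the separators keeps the URL valid for `/`, `/auth`, `auth` and empty alike, e.g. `health_url: "http://{{ keycloak_quarkus_host }}:{{ keycloak_quarkus_http_port }}{{ ('/' ~ (keycloak_quarkus_http_relative_path | default('/', true)) ~ '/') | regex_replace('/+', '/') }}realms/master/.well-known/openid-configuration"`. Independently of this change, the readiness URL is still hard-coded to `http://` and `keycloak_quarkus_http_port`, so it cannot work on an HTTPS-only deployment; worth a follow-up since it decides when the role considers the server up.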